Someone is attacking your network. However, they're not exactly using their machine to do it - they're using a VM running on their system. The VM's network adapter is configured in "bridged mode" so that the VM gets its own IP address, and effectively functions on the network as a separate machine from the host system.

Questions:

Without physically walking up to the attacker's system, and only using information available across the network, are there ways to determine:

1. That the attacker is using a VM at all?
2. Which machine on the network is the host system?

So, is the attacker on your physical network, i.e. is he using an IP of your subnet? I guess yes, but you can make it more clear.
– john, May 11 '11 at 9:49

@john - The host machine would have to be connected to the network either by cable or Wi-Fi, as far as I know. There's another question I've not looked into yet: Can a VM be connected to a network while the host isn't?
– Iszi, May 11 '11 at 13:39

I'd imagine a VM could connect to your network by VPN for example.
– StephenPaulger, May 13 '11 at 16:30

3 Answers

You don't say why you would care whether the attacker is using a VM. I'd say it is irrelevant. It's just a distraction. So I'd unask that part of the question.

As for how to tell what machine on the network is the host system, your ability to do this in this special situation is about as good as the situation when there is no VM. You have DHCP and ARP logs to go by. If you can identify the IP address, go to your Ethernet switch and find which physical port that IP address is connected to -- then have a nice stroll to that port and have at it. Don't forget to bring your clue stick.

First of all, I assume that you have already located the IP address of the attacker, using an IDS for example. In this case:

Are there ways to determine that the attacker is using a VM at all?

One way I can think of, provided you have the IP, is to find the MAC of the attacker. Usually it will point to the manufacturer, which will be VMware or something similar.
nmap can be used for this sort of fingerprinting.

Are there ways to determine Which machine on the network is the host system?

This is a really interesting question - and I don't have an answer, and I am not sure one exists.
I suppose you can locate the network segment if you have a proper switching infrastructure, not sure if you can do anything more than that remotely.

Of course, if you are really determined, you can try to find the IP the opposite way:
Assuming you have a managed switch, try locking MAC addresses to ports, one by one. Eventually you will stop having communication with the guest, when you lock the MAC address of its host to the switch port.
Also, you should be able to see if more than one MAC address is connected to one port, if using a decent switch (unfortunately I don't have a link available, but I've read about functionality like that).

Essentially the answer depends on whether you can see the MAC address of the VM.

If you can get access to the MAC addresses of the hosts that the attacker is using (either by getting access to the switch that it's connected to or by scanning from the same subnet), then determining that a VM is in use should be fairly straightforward, as virtual network cards have specific OUIs which are distinctive (this is of course assuming that the attacker hasn't changed the MAC address to be less distinctive).

In terms of tracking them down, on a wired network a managed switch may have the capability to show which port a MAC address is on (definitely Cisco switches can do this). If the network is wireless that could be a bit more tricky. You could determine the AP that the client is connected to (again assuming that information is made available by the AP) and then use a scanner (e.g. kismet) to look for the MAC address of the attacker and physically track it down.

This sounds odd to me, I know that if you copy a VM, it will retain the MAC of the previous copy. So if I then copy the VM to another machine, is the MAC supposed to change?
– AviD♦, May 11 '11 at 22:01

With VMs there's almost always 2 different options, "copy" and "move" (or something to that extent). With "copy" you're changing the MAC addresses of every NIC, while with move you're saying that it is the original VM and the MACs stay the same.... or should.
– Ormis, May 12 '11 at 13:26

@AviD As @Ormis says, it partially depends on how you move the VM (at least for VMware), but regardless of the MAC changing, the OUI will remain the same and that identifies the machine as being a VM.
– Rоry McCune, May 12 '11 at 18:57

@Rory, but doesn't that mean you won't be able to identify which it is?
– AviD♦, May 12 '11 at 19:01

@AviD Are you thinking of the second part of the original question around which actual host machine is involved? If so, there's no tie between the VM MAC address and the host MAC address (AFAIK), the way to track it down is to find out which switch port the VM MAC address is on and then see which physical host is on the same switch port, thereby finding out which host is involved.
– Rоry McCune, May 12 '11 at 19:45